The DevOps operations model has been around for a while, but when it comes to security, it has often been an afterthought. Not that traditional development and deployment models were different, but longer development cycles gave more space to find and fix issues.
DevSecOps: Adding the Sec in DevOps
DevOps dramatically shortens release cycles, but the emphasis on speed and agility often comes at the detriment of security. With enterprises and end users much more aware of security challenges and widely publicised data leaks, security needs to be integrated early into the development process.
DevSecOps is exactly about this: the goal is to integrate security into the application development stages, to avoid potential flaws impacting the delivered application. Note the importance of the word "integrating". The objective isn’t to build insecure applications and then apply security mitigations, but to build applications and code that are secure by default.
Building Secure Applications Starts With Secure Code
This article cannot cover all of the security best practices, but one of the key aspects is for the source code to be protected against common security flaws and vulnerabilities.
Building code that is secure by default requires constant attention to detail. Not all developers have the time to safety-check their code as they write it. Not only would it be a time-consuming process, but it would also break the development flow and their creative process.
Also, not all developers have the necessary knowledge of every potential security flaw or mishap. Even with thorough training, the likelihood of missing a specific security flaw remains high.
How can we ensure that applications with short release cycles have their code committed in a timely fashion and without compromising on security?
Taking the IDE route
Today Integrated Development Environments (or IDEs) are used by a vast majority of developers. Not that vi or notepad aren’t cool anymore, but to be productive developers need to have all the tools at the tip of their fingers.
IDEs allow developers not only to code in the language of their choice, but also to use plug-ins to extend the capabilities of their IDE of choice without having to rely on external software.
This is nice to know, but how does that tie in with DevSecOps? Interestingly, IDEs and plug-ins can help developers integrate secure coding into their daily development activities.
Enter Veracode Greenlight, an IDE-based security tool that dramatically simplifies DevSecOps. Veracode aren’t exactly new in the code scanning space: they claim that over the last ten years, their software offerings have been used to scan over 6 trillion lines of code.
Greenlight scans code in the background as the developer works on it; scans can be run on individual files, classes or small packages.
A scan typically takes only a few seconds to complete. When an issue is identified, it gets tagged by severity, and Veracode shows the affected line(s) of code.
Interestingly, Greenlight is a SaaS-based plugin which leverages Veracode Cloud services to pull the latest data and reduce false positive rates. This cloud-based platform uses detection data across the entire Veracode customer base to identify and lower the number of false positive findings.
For every issue, Greenlight also provides an explanation of why the code is insecure, and will provide sample code to show how to fix common issues such as SQL Injections or Cross-Site Scripting (XSS). If the insecure code has an associated CWE rating, the related CWE information will also be shown.
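As an added illustration of the kind of finding-and-fix pair described above (this is not Greenlight's own sample code), here is a SQL injection (CWE-89) case: a query built by string concatenation beside its parameterised form, run against a constructed in-memory SQLite table so the difference in behaviour is observable.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret-a"), ("bob", "s3cret-b")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # CWE-89: the caller-supplied value is concatenated straight into the
    # query text, so a crafted value can change the query's structure.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]

def lookup_fixed(conn: sqlite3.Connection, name: str) -> list:
    # Fix: bind the value as a parameter. The driver treats it purely as
    # data, so the same input can only ever match a literal user name.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]

def demo() -> dict:
    """Run both lookups with the same constructed test input."""
    conn = make_db()
    tainted = "x' OR '1'='1"   # constructed textbook test value
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, tainted)),
        "fixed": sorted(lookup_fixed(conn, tainted)),
    }

if __name__ == "__main__":
    print(demo())  # vulnerable returns every user; fixed returns none
```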
This helps developers not only to fix issues, but also to improve their knowledge of common security flaws, which in turn helps them build better code.
Why Veracode Greenlight Matters
Security isn’t only a concern for developers. Any individual who uses an application somewhere may be impacted by poor security practices.
Greenlight helps developers take care of security before code is compiled, committed or released. By addressing the problem at the source, developers can build better code and reduce the attack surface of their applications.
Productivity is also improved: application release cycles can be spent on improving and adding functionality rather than on fixing unforeseen security flaws and being cast in the dubious spotlight of security research news.